Building The Perfect Home Router

When a favorite piece of hardware dies, it’s fairly common to experience a bit of dread. The thought that now you’ll have to go through the process of getting a replacement for the device can be very troubling, and is fraught with difficult questions. Is the hardware still available? Has it been made obsolete by something else in the time you’ve had it? But while it can be a hassle, there’s no question you can come out the other side better than you went in. Sometimes it takes the passing of an old piece of gear for you to really embrace what’s possible with the latest and greatest.

That’s exactly what happened to [Tyler Langlois]. When his trusty home router finally gave up the ghost, he was left with a couple of options. He could get another consumer router, upgrade to an enterprise-level model, or take the road less traveled and build his own router to his exacting specifications. Since you’re reading about it on Hackaday, we’ll give you one guess as to which door he went through.

The blog post [Tyler] has written up about the saga of building his own router is an incredible resource for anyone who might be thinking of taking the plunge into DIY networking. From selecting the proper hardware to the nuances of getting all of the software packages installed, this is an absolute treasure trove. At the beginning of the post he mentions that the post shouldn’t be considered a comprehensive guide, but considering we’ve seen commercial hardware that wasn’t documented this well, we’d have to respectfully disagree on that point.

Some elements of his homespun build may come as something of a surprise. For one, [Tyler] bucked the hive mentality and determined the Raspberry Pi simply wasn’t up to the task, due (at least in part) to its single 100 Mbps network interface. He ended up going with an ESPRESSObin, a relatively niche Linux SBC that features an onboard gigabit switch in addition to a fairly hefty spec sheet. He also decided to forgo WiFi entirely, and leave the intricacies of wireless networking to a standalone access point from Ubiquiti.

40 thoughts on “Building The Perfect Home Router”

“A router is often overlooked as just another piece of consumer kit sitting around the house, but it’s actually an excellent place to flex your creative and technical muscle. From adding a remote display to converting it into a mobile battle tank, there’s a lot more you can do with your router than stare at the blinkenlights.” — I just like to run additional/custom software on mine, like e.g. I’ve been running my Mumble-server on my routers for years now. I did, however, take my Buffalo WBMR-HP-G300H ADSL-modem apart after I retired it, removed the LEDs and redefined them in the device-tree file as regular GPIO-pins instead so I could use some SPI-devices and drive a relay with them instead. Never ended up actually using it for anything, though, just played with it for a bit and lost interest.

First and most important reason why you should never just overlook your router is security. When your ISP gives you a router, be sure it’s the cheap underpowered hardware with poorly maintained firmware and prone to security breaches, sometimes even having backdoors for “remote assistance”. My solution is to always switch the ISP’s router to bridge mode (disabling any routing and home network access, leaving only the VDSL modem role) and add another decent quality router behind it to do NAT, DHCP, firewalling and other stuff a router should do. I think anyone whose security policy is not “I don’t care” should do the same.

Two. A third one could be added via PCI-e.
Why do you need that many?
I use one for WAN and one for LAN. The LAN one goes to the 24-port switch that supplies my house.
The rest is internal virtual bridges and VLANs.
As both the firewall and the servers are virtualized via Proxmox, I don’t need an extra port for the DMZ.

Or you get lucky and your connection from the ISP is ethernet. But yes, I threw out the stock all-in-one router which was the perfect example of an underspecced ISP-provided device. For my gigabit connection they provided a device with 802.11g wifi meaning I could use maybe 2% of my internet connection’s bandwidth over wifi. That got chucked in favour of pfsense and a WRT1900ACS which can give me more like 70% of my connection’s bandwidth over wifi.

I got this Fritz!Box cable-modem from my ISP, which was pretty locked down, with a lot of the functionality the OS allows for removed. Even though I’m very much not a security-researcher or anything, I still managed to break into the box with relative ease and all through software-means and no admin-rights needed. With no option to replace the modem, I configured one of the Ethernet-ports into bridge-mode and chucked in a proper router with OpenWRT/LEDE on it.

I just supplied my own router and modem. Aside from not having the ISP’s fingers in my pie, both units are from reliable companies that actually update their firmware more than once a year. A final benefit is that you don’t have to pay a rental fee to the ISP which saves a decent chunk of change on the bill. Some ISPs are more forgiving/supportive of this so ymmv.

Modems and their built-in firewalls are as trustworthy as the ISP or anyone who can ask the ISP for access to the device. At that point the firewall is moot and it’s just a device directly on your LAN, or even between your own devices when the modem is also used as a switch. Using your own ADSL modem or your own firewall after the ISP modem sounds like a sensible idea.

Look for ‘mcdebian’ on Linksys routers. It’s a FULL Debian, with apt-get and all that goodness. Boot is flashed to the router; rootfs runs from a USB stick on the router. Works great and is not a single image like the LEDE stuff is.

Perhaps try Armbian, which is pure Debian, for Espressobin. It has by far the best support out of the box. Better (kernel) than any dedicated router OS -> https://twitter.com/armbian/status/991205578813968385 plus you can easily build your custom Debian or Stallman-ised Ubuntu with a kernel from sources and/or use some Debian-based firewall software or even better – containerized OpenWRT or similar.

I’m squinting sideways at the MicroSD storage. It’s doable, but I’d want to make sure I have an up-to-date backup strategy, OR make certain I’ve optimized for minimal writes. My experience with OS installs on read-write SD and thumb drives is that they’re fine almost all the time, but when your usage extends to years, you’ll get weird things, like a file goes missing, or contains an unexpected block of zeros – or the device just stops working entirely for some reason. Unfortunately, my “fleet” isn’t big enough to get a sense of whether this correlates with whoever’s brand is on the device, but I doubt that matters if you’re ordering off Amazon (you’ll probably get a counterfeit anyhow).

Wow, it’s been ages since I looked at PCEngines from Switzerland; but it seems they’re still alive and well. I remember the ALIX series which (if memory serves) were based on the x86 AMD Geode series. The PCEngines boards are worth MUCH consideration because they are x86 compatible out of the box (no ARM nightmares), Open-Source (mostly), and quite affordable (<$140 various models). I recommend (from past experience) the following: Develop in FreeBSD, then deploy in OpenBSD. You will need to (at least) know BSD's PF and ALTQ to manage your firewall/traffic-management (no, xBSD is NOT Linux – optimally). Or at least that's the way it used to be.

It's been a while. Today I see some of the newer PCEngines boards have a decent amount of RAM. So as a Home or SOHO user it may be possible to virtualize/jail/bastion your exposed framework and apply robust kill-switch rules. But remember, when it comes to kill-switches – speed (or lack of it) can kill you!

I actually REALLY like the idea of having a separate router to act as the “brains” and a separate wireless AP. Does anyone know of a router (with switch, or simple internet in / internet out will do) that runs DD-WRT and is powerful enough to do bandwidth monitoring for like 20 users? Something to do just the brain bits.

I’ve been using DIY Linux routers for decades, and UniFi APs for years. It’s a great combination. One thing that you notice with more experience is that not all Ethernet cards are created equal. For example if you care about the most accurate possible time clocks, you want an Ethernet card that supports hardware timestamping, which ntp can use. That’s why I prefer at least something with a proper expansion slot, so that you can choose components. There are many smaller Intel boxes that come with far less than full size footprints and power draws but still have an expansion slot.

Despite my history with computers, networking is just too weird for me to understand properly. That said, Mikrotik may not have FOSS but the hardware is solid for the price, <$100 for 5 port gigabit, and the software is enterprise class.

EspressoBin looks cool, but I’m somewhat suspicious about the routing performance. As far as I can see there’s only one network chip handling all 3 NICs. The WAN seems to be Ethernet (100Mbit/s) while LAN NICs are GigE?
Seems like a cool board, but I would not use it myself for a router.
APU2D4 is a bit more powerful alternative https://teklager.se/en/products/router-components/pc-engines-apu2d4 (that’s what I’m using). And also gives you access to the source code of the BIOS, so it’s really secure.